Standards and Policies Collaborations

Helping raise the bar for software security

Standards provide the basis for demonstrating compliance with laws, policies, and regulatory guidelines.

Synopsys DevSecOps tools and services can help organizations comply with laws, regulatory guidance, policies, and standards related to application security (AppSec), software quality, data protection, and privacy. Finding and fixing weaknesses and vulnerabilities before they are exploited is easier with tools whose reports list the specific rules and categories of each standard that a finding maps to.

To help raise the bar for software security and stay informed about the latest security issues, Synopsys employees serve or have served as subject matter experts for the committees, boards, working groups, programs, and projects related to AppSec standards, policies, and regulatory guidelines listed below.

  • Automotive Industry Action Group (AIAG)
  • Automotive Information Sharing and Analysis Center (Auto-ISAC)
  • Automotive Open System Architecture (AUTOSAR)
  • Carnegie Mellon University Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) Division
  • Center for Internet Security (CIS), including the CIS Benchmarks, the CIS Benchmarks Community, and CIS WorkBench
  • Consortium for Information and Software Quality (CISQ)
  • Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Attack Pattern Enumeration and Classification (CAPEC)
  • Enterprise Singapore and the Singapore Standards Council (Standards Development Organisation)
  • Information Technology Industry Council (ITI or ITI-C)
  • Institute of Electrical and Electronics Engineers (IEEE), including the IEEE Technical Committee on Electric and Autonomous Vehicles (TC-EAV)
  • International Committee for Information Technology Standards (INCITS)
  • International Electrotechnical Commission (IEC)
  • International Organization for Standardization (ISO)
  • International Society of Automation (ISA)
  • International Telecommunication Union (ITU) Telecommunication Standardization Sector (ITU-T)
  • Japan Automotive Software Platform and Architecture (JASPAR)
  • Japan Network Security Association (JNSA)
  • Ministry of Economy, Trade, and Industry (METI)
  • Motor Industry Software Reliability Association (MISRA)
  • National Institute of Standards and Technology (NIST)
  • National Telecommunications and Information Administration (NTIA)
  • Object Management Group (OMG)
  • Organization for the Advancement of Structured Information Standards (OASIS) Open and SARIF
  • SAE International
  • UL (formerly Underwriters Laboratories)

Automotive Industry Action Group

AIAG
Member

The Automotive Industry Action Group (AIAG) is a nonprofit organization composed of original equipment manufacturers (OEMs), suppliers, service providers, government entities, and individuals in academia who work collaboratively to improve quality and reduce costs and complexity in the automotive supply chain. AIAG membership includes leading global manufacturers, parts suppliers, and service providers.

Automotive Information Sharing and Analysis Center

Auto-ISAC community
Participant

The Automotive Information Sharing and Analysis Center (Auto-ISAC) is an industry-driven community that shares and analyzes intelligence about emerging cyber security risks to vehicles and collectively enhances vehicle cyber security capabilities across the global automotive industry, including light- and heavy-duty vehicle OEMs, suppliers, and the commercial vehicle sector. Auto-ISAC defines best practices that are widely adopted among OEMs.

Automotive Open System Architecture

AUTOSAR associate partner and working groups
Participant

Automotive Open System Architecture (AUTOSAR) is a worldwide development partnership of vehicle manufacturers, suppliers, service providers, and companies from the automotive electronics, semiconductor, and software industries. AUTOSAR standards are used heavily in safety-critical automotive applications.

The AUTOSAR Classic Platform defines a standard architecture and API that ensures interoperability across vendor components. At the highest level of abstraction it distinguishes three software layers that run on a microcontroller: application, runtime environment, and basic software. The AUTOSAR Classic Platform Working Groups develop and maintain the Classic Platform.

The AUTOSAR Adaptive Platform, aimed at high-performance electronic control units (ECUs), implements the AUTOSAR Runtime for Adaptive Applications (ARA), which exposes two kinds of interfaces: services and APIs. The AUTOSAR Adaptive Platform Working Groups develop and maintain the Adaptive Platform.

AUTOSAR works closely with ISO/IEC JTC 1/SC 22/WG 14, the ISO C standards working group, and ISO/IEC JTC 1/SC 22/WG 21, the ISO C++ standards working group.

AUTOSAR and MISRA have announced that their respective C++ coding guidelines will be merged into a single publication.

Center for Internet Security

CIS Benchmarks community and CIS WorkBench
Participant

The Center for Internet Security (CIS) is a community-driven nonprofit responsible for CIS Controls and CIS Benchmarks, globally recognized best practices for securing information technology (IT) systems and data.

CIS Benchmarks are consensus-developed, secure configuration guidelines for hardening cloud platforms, operating systems, mobile devices, applications, and middleware. Developed by cyber security professionals and subject matter experts, CIS Benchmarks are consensus-based, best-practice security configuration guides developed and accepted by government, business, industry, and academia. The CIS Benchmarks community develops and updates secure configuration guidelines for technology families.

CIS WorkBench is a virtual place to network and collaborate with cyber security professionals from around the world. Activities include helping to draft configuration recommendations for the CIS Benchmarks, submitting tickets, and discussing best practices to secure a wide range of technologies.

Consortium for Information and Software Quality

CISQ governing boards, working groups, and projects
Sponsor, participant

The Consortium for Information and Software Quality (CISQ) is an industry leadership group that develops international standards to automate the measurement of software size and structural quality from the source code. CISQ standards enable organizations that develop or acquire software-intensive systems to measure the operational risk software poses to the business, as well as estimate the cost of ownership.

CISQ was co-founded by:

  • Object Management Group (OMG), an international, open membership, not-for-profit technology standards consortium. OMG standards are driven by vendors, end users, academic institutions, and government agencies. OMG task forces develop enterprise integration standards for a wide range of technologies and industries.
  • Software Engineering Institute (SEI) at Carnegie Mellon University (CMU), a Federally Funded Research and Development Center (FFRDC) sponsored by the U.S. Department of Defense (DOD). An FFRDC is a nonprofit, public/private partnership that conducts research for the U.S. government. SEI works with partners throughout the U.S. government, the private sector, and academia. The SEI Computer Emergency Response Team (CERT) Division partners with government, industry, law enforcement, and academia to improve the security and resilience of computer systems and networks. CERT studies problems that have widespread cyber security implications and develops advanced methods and tools to counter large-scale, sophisticated cyber threats.

CISQ members and sponsors include software engineering, security, and quality management professionals and senior leadership responsible for major mission-critical systems from global enterprises, system integrators, service providers, software technology vendors, and public sector institutions. The CISQ roadmap includes the development of new standards, certification programs, and deployment activities to advance the state of practice in software engineering. CISQ sponsors participate in and influence standards development, including the identification of CISQ projects.

The CISQ governing board sets the program direction, including the roadmap for standards development and publication of technical guidance. CISQ projects include the following:

CVE, CWE, CAPEC, and ITU

CVE numbering authority, CVE board, and CWE/CAPEC board
Member

The study groups of the International Telecommunication Union (ITU) Telecommunication Standardization Sector (ITU-T) assemble experts from around the world to develop international standards, known as ITU-T recommendations, that act as defining elements in the global infrastructure of information and communication technologies (ICTs).

ITU-T Study Group 17 adopted the Cybersecurity Information Exchange (CYBEX) framework, which imports established specifications developed by government agencies and industry to support cyber security and infrastructure protection. The ITU-T X.1500 CYBEX series includes recommendations built on CVE, CWE, and CAPEC.

CVE, CWE, and CAPEC are sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI), which is operated by MITRE.

CVE numbering authorities (CNAs) are global organizations authorized to assign CVE IDs to vulnerabilities that affect products within their distinct, agreed-upon scope for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability disclosers, and IT vendors.

The CVE board is comprised of numerous cyber security–related organizations and provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE list.

CWE/CAPEC board members include technical implementers, subject matter experts, and advocates who provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction for the CWE and CAPEC lists.

IEC committees and working groups

Member

The International Electrotechnical Commission (IEC) is an international standards organization that prepares and publishes international standards for all electrical, electronic, and related technologies.

IEC develops many of its standards through joint technical committees and liaison bodies, including:

  • ISA99 committee (ISA/IEC 62443)
  • ISO/IEC JTC 1/SC 22 technical committees and working groups for programming languages
  • ISO/IEC JTC 1/SC 27 technical committee and working groups for IT, cyber security, and privacy protection
  • ISO/IEC JTC 1/SC 7 technical committee for software and systems engineering

IEEE SA advanced corporate program and EAV technical committee
Member

The Institute of Electrical and Electronics Engineers (IEEE) is a technical professional organization dedicated to advancing technology for the benefit of humanity.

The IEEE Standards Association (IEEE SA) is a consensus-building organization that nurtures, develops, and advances global technologies through IEEE by bringing together a broad range of individuals and organizations to facilitate standards development and standards-related collaboration.

The IEEE SA corporate program facilitates the exploration of new standards opportunities at IEEE, supporting the development of projects around the full life cycle of standards. Its international presence allows for a broad-based focus on new work areas and programs.

The IEEE Technical Committee on Electric and Autonomous Vehicles (TC-EAV), under the IEEE Reliability Society (RS), brings researchers and practitioners together for interdisciplinary collaboration among academia, industry, and government agencies in areas such as software engineering, communications and networking, computer vision, artificial intelligence and machine learning, cyber-physical systems, testing, validation, and formal verification.

International Committee for Information Technology Standards

INCITS
Member

The International Committee for Information Technology Standards (INCITS) is the U.S. forum dedicated to creating technology standards for the next generation of innovation. INCITS members combine their expertise to create the building blocks for globally transformative technologies, from cloud computing to communications, from transportation to healthcare.

INCITS serves as the U.S. Technical Advisory Group (TAG) for ISO/IEC Joint Technical Committee 1. A U.S. TAG is a committee accredited by the American National Standards Institute (ANSI) to participate in ISO/IEC technical activities. ANSI-accredited U.S. TAGs represent the range of U.S. parties interested in and affected by specific ISO/IEC standards.

ISA99 committee

ISA99 committee
Member

The International Society of Automation (ISA) is a professional nonprofit association that develops widely used global standards, certifies industry professionals, provides education and training, publishes books and technical articles, hosts conferences and exhibits, and provides networking and career development programs for its global members and customers.

The ISA99 committee brings together global industrial cyber security experts to develop ISA standards on industrial automation and control systems security. It draws on the input and knowledge of global industrial automation and control systems (IACS) security experts to develop consensus standards that are applicable to all industry sectors and critical infrastructure.

The ISA99 committee develops standards that IEC has adopted, including the ISA/IEC 62443 series, which provides a flexible framework for addressing and mitigating current and future security vulnerabilities in IACS.

ISO technical committees and working groups

Member

The International Organization for Standardization (ISO) is an independent, nongovernmental, international organization of national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges. ISO standards are developed by ISO technical committees.

ISO/IEC technical committees for programming languages

The ISO/IEC Joint Technical Committee 1 (JTC 1) Subcommittee 22 (SC 22) is the international standardization subcommittee for programming languages, their environments, and system software interfaces. SC 22 is also known as the portability subcommittee. JTC 1/SC 22 has working groups (WGs) for various programming languages including:

ISO/IEC technical committee for IT, cyber security, and privacy protection

INCITS serves as the U.S. TAG to ISO/IEC JTC 1/SC 27 for information security, cyber security, and privacy protection. ISO/IEC JTC 1/SC 27/WG 3 (security evaluation, testing, and specification) codevelops standards for the protection of information and ICT including:

ISO/IEC technical committee for software and systems engineering

ISO/IEC JTC 1/SC 7 for software and systems engineering develops standards for processes, supporting tools, and supporting technologies for the engineering of software products and systems including ISO/IEC/IEEE 15026 systems and software assurance, which defines assurance-related terms and establishes an organized set of concepts and relationships to form a basis for shared understanding across user communities for assurance.

ISO technical committee for E/E components and general system aspects

ISO/TC 22/SC 32 for electrical and electronic (E/E) components and general system aspects develops standards for E/E components and cross-sectional specifications for E/E systems and components including:

ITI

Member

The Information Technology Industry Council (ITI or ITI-C) is a global advocate for technology. ITI promotes public policies and industry standards that advance competition and innovation worldwide. ITI members include the world's leading innovation companies.

JasPar

JASPAR cyber security technical working group
Participant

The Japan Automotive Software Platform and Architecture (JASPAR) enables the standardization of electronic control systems and software for in-vehicle networks, thereby allowing industrywide common implementation, more efficient development, and increased reliability. Topics include E/E cyber security.

The JASPAR cyber security technical working group works to define and validate the requirements of automotive cyber security technologies based on use cases, including projects like the “A-CST-07-0003 Fuzzing Test Guide.”

Japan Network Security Association (JNSA)

JNSA IoT security working group
Participant

The Japan Network Security Association (JNSA) is a nonprofit organization that promotes network security standardization. JNSA is made up of working groups, including the Survey and Research Committee IoT security working group, which undertakes survey activities and research on information security issues.

Ministry of Economy, Trade, and Industry

METI industrial cyber security study group, working group, and task force
Participant

The Ministry of Economy, Trade, and Industry (METI) helps develop the Japanese economy and industry by promoting economic vitality in private companies and advancing external economic relationships. METI also secures a stable and efficient supply of energy and mineral resources.

METI ensures security in the new supply chains (value creation processes) under the national Society 5.0 policy by integrating cyber space and physical space, as well as the national Connected Industries policy for adding new value by connecting a variety of goods, industries, and people. METI develops the Cyber-Physical Security Framework (CPSF), an overview of required security measures.

The METI WG 1 for systems, technologies, and standardization cross-disciplinary subworking group, under the industrial cyber security study group, holds discussions on cyber-physical security measures to achieve security in the new supply chains under the Society 5.0 and Connected Industries policies. Its Task Force for Examining Software Management Methods for Ensuring Cyber-Physical Security discusses software bills of materials (SBOMs) as a way to surface problems, especially vulnerabilities, in the software supply chain.

Motor Industry Software Reliability Association

MISRA steering committee
Participant

The Motor Industry Software Reliability Association (MISRA) is a collaboration between vehicle manufacturers, component suppliers, and engineering consultancies that seeks to promote best practices for developing safety-related electronic systems in road vehicles and other embedded systems.

MISRA works closely with ISO/IEC JTC 1/SC 22/WG 14, the ISO C standards working group, and ISO/IEC JTC 1/SC 22/WG 21, the ISO C++ standards working group.

MISRA and AUTOSAR have announced that their respective C++ coding guidelines will be merged into a single publication.

National Institute of Standards and Technology

NIST special publications
Contributor

The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a nonregulatory agency of the U.S. Department of Commerce that promotes innovation and industrial competitiveness.

Much U.S. federal policy originates with executive orders that the Office of Management and Budget (OMB) turns into mandates pointing to NIST special publications (SPs), notably the SP 800 series for the computer security community. One example is NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, which guides federal agencies in identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations.

The NIST Security Content Automation Protocol (SCAP) is a suite of interoperable specifications drawn from community-developed standards. SCAP content references the CVE list, and the NIST National Vulnerability Database classifies CVE entries by CWE.

National Telecommunications and Information Administration

NTIA software component transparency working groups
Member

The National Telecommunications and Information Administration (NTIA), located within the U.S. Department of Commerce, is the executive branch agency that is principally responsible by law for advising the President on telecommunications and information policy issues.

Stakeholders in NTIA software component transparency working groups collaborate in an open and transparent process to address transparency around software components and advocate for software transparency throughout the supply chain, including SBOM standards. An SBOM is a list of all the open-source and third-party components present in a codebase, the licenses that govern those components, the versions of the components used in the codebase, and their patch status.

  • NTIA SBOM framing working group defines and refines the specification of SBOMs, with attention to broader, more scalable adoption obstacles. Topics include component identity and naming, how to share SBOMs, how to characterize nonexploitability vs. vulnerability, SBOM integrity and high-assurance data, SBOMs for the cloud/SaaS, and more.
  • NTIA SBOM awareness and adoption working group promotes SBOM as an idea and a practice. Tasks include building a broader outreach strategy with outreach targets; creating shorter documents with specific outreach goals for sectors, organizational role, and so on; coordinating with related efforts; and providing more explicit business cases for SBOM adoption.
  • NTIA SBOM data formats and tooling working group focuses on how to automate SBOM production and use. Goals include cataloging existing tools for SBOMs in the identified standards, developing a translator between these formats, providing a gap analysis in SBOM tools, and potentially exploring SBOM processes and playbooks.
  • NTIA SBOM healthcare proof of concept working group plans and executes a second proof-of-concept exercise with an expanded set of healthcare participants and the inclusion of IT and security industry partners. It also advises other industry players interested in SBOM demonstrations.
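
To make the SBOM definition above concrete, the Python below is an added example (not code from the page, from NTIA, or from any SBOM tool). It reads a constructed CycloneDX-style JSON SBOM, matches each component against a constructed advisory list by package URL, flags versions below the first fixed version, and then applies constructed exploitability statements in the spirit of the framing group's "nonexploitability vs. vulnerability" topic. The SBOM contents, the advisories and their placeholder identifiers, the exploitability statements, and the choice of CycloneDX as the format are all assumptions; the page names no format.

```python
"""Check an SBOM against known-vulnerable component versions, then apply
exploitability statements.  Added example: not code from the page, from NTIA,
or from any SBOM tool.  The CycloneDX-style SBOM, the advisories (placeholder
IDs ADV-000x) and the exploitability statements below are all constructed."""
import json

# Constructed CycloneDX 1.4-style SBOM: three components, one without license data.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:pypi/libfoo@1.2.3", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libbar", "version": "2.0.0",
         "purl": "pkg:pypi/libbar@2.0.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "libbaz", "version": "0.9.5",
         "purl": "pkg:npm/libbaz@0.9.5"},
    ],
})

# Constructed advisories: package URL without version -> first fixed version.
# Every version below "fixed" is treated as affected.
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:pypi/libfoo", "fixed": "1.2.4"},
    {"id": "ADV-0002", "purl": "pkg:pypi/libbar", "fixed": "1.9.0"},
    {"id": "ADV-0003", "purl": "pkg:npm/libbaz", "fixed": "1.0.0"},
]

# Constructed exploitability statements (VEX-style): the supplier asserts the
# vulnerable code path in libbaz is not reachable in this product.
VEX = {("ADV-0003", "pkg:npm/libbaz@0.9.5"): "not_affected"}


def parse_version(v):
    """Dotted numeric version -> tuple for comparison.  Non-numeric parts become 0
    (a simplification; real ecosystems each have their own ordering rules)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """Split 'pkg:type/name@version' into (package, version); qualifiers are not handled."""
    pkg, _, ver = purl.partition("@")
    return pkg, ver


def load_components(sbom_text):
    """Flatten SBOM components into name, version, purl, package key and license IDs."""
    comps = []
    for c in json.loads(sbom_text).get("components", []):
        purl = c.get("purl")
        pkg, ver = split_purl(purl) if purl else (None, c.get("version"))
        comps.append({
            "name": c.get("name"),
            "version": c.get("version") or ver,
            "purl": purl,
            "package": pkg,
            "licenses": [l.get("license", {}).get("id") for l in c.get("licenses", [])],
        })
    return comps


def check_sbom(sbom_text, advisories, vex):
    """One record per (component, advisory) match with status
    'fixed' (version at or above the fix), 'not_affected' (per VEX) or 'affected'."""
    findings = []
    for comp in load_components(sbom_text):
        for adv in advisories:
            if adv["purl"] != comp["package"]:
                continue
            if parse_version(comp["version"]) >= parse_version(adv["fixed"]):
                status = "fixed"
            else:
                status = vex.get((adv["id"], comp["purl"]), "affected")
            findings.append({"component": comp["name"], "version": comp["version"],
                             "advisory": adv["id"], "fixed_in": adv["fixed"],
                             "status": status})
    return findings


def actionable(findings):
    """Only the matches that still need an upgrade or a mitigation."""
    return [f for f in findings if f["status"] == "affected"]


if __name__ == "__main__":
    for f in check_sbom(SBOM_JSON, ADVISORIES, VEX):
        print(f"{f['component']}@{f['version']}  {f['advisory']}  fixed in {f['fixed_in']}  -> {f['status']}")
```

The package URL is the join key because names alone collide across ecosystems; the version comparison is deliberately naive, and the VEX lookup is keyed on the exact versioned purl so that a "not_affected" claim for one version is never silently reused for another.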

Organization for the Advancement of Structured Information Standards

OASIS SARIF technical committee
Participant

The Organization for the Advancement of Structured Information Standards (OASIS) aims to set the standard for open collaboration. OASIS Open is where individuals, organizations, and governments come together to solve technical challenges through the development of open code and open standards.

The Static Analysis Results Interchange Format (SARIF) is an industry standard format for the output of static analysis tools. SARIF is an approved OASIS standard. It enables organizations in the safety and security communities to combine and compare the results from multiple competing tools more easily for a more accurate picture of their code issues.

OASIS SARIF technical committee members develop the SARIF interoperability standard for detecting software defects and vulnerabilities. The goal is to define a common output format for static analysis tools that will make it feasible for developers and teams to view, understand, interact with, and manage the results produced by all their tools.
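
As an added illustration of what a common output format buys you (not code from the page, from OASIS, or from any Synopsys tool), the Python below reads two constructed SARIF 2.1.0 logs, resolves each result to its rule, pulls CWE identifiers out of rule tags, and merges the two tools' findings by file and line so that a location both tools flag is reported once with both tools listed. The tool names, rule IDs, file paths and tags are assumptions; the `external/cwe/cwe-NNN` tag style is a convention some tools use, not something the SARIF specification mandates.

```python
"""Merge SARIF output from two static analysis tools by code location.
Added example: not code from the page, from OASIS, or from any Synopsys
product.  The two SARIF 2.1.0 logs are constructed; tool names, rule IDs,
paths and CWE tags are assumptions.  Tags like 'external/cwe/cwe-NNN' are a
convention some tools use, not something SARIF mandates."""
import json
import re


def _sarif(tool, rules, results):
    """Minimal SARIF 2.1.0 log with a single run (builds the constructed samples)."""
    return json.dumps({"version": "2.1.0",
                       "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
                       "runs": [{"tool": {"driver": {"name": tool, "rules": rules}},
                                 "results": results}]})


def _loc(uri, line):
    return [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                  "region": {"startLine": line}}}]


# Constructed ToolA log: results point at rules via ruleIndex.
TOOL_A_SARIF = _sarif("ToolA", [
    {"id": "A-SQLI", "properties": {"tags": ["security", "external/cwe/cwe-089"]}},
    {"id": "A-XSS", "properties": {"tags": ["security", "external/cwe/cwe-079"]}},
], [
    {"ruleId": "A-SQLI", "ruleIndex": 0, "level": "error",
     "message": {"text": "Unsanitized input reaches SQL query"}, "locations": _loc("src/db.py", 42)},
    {"ruleId": "A-XSS", "ruleIndex": 1, "level": "warning",
     "message": {"text": "Unescaped output in template"}, "locations": _loc("src/views.py", 17)},
])

# Constructed ToolB log: no ruleIndex, one result without level (SARIF's default
# is "warning"), a different CWE tag style, and one location shared with ToolA.
TOOL_B_SARIF = _sarif("ToolB", [
    {"id": "B001", "properties": {"tags": ["CWE-89"]}},
    {"id": "B002", "properties": {"tags": ["external/cwe/cwe-798"]}},
], [
    {"ruleId": "B001", "message": {"text": "Tainted SQL"}, "locations": _loc("src/db.py", 42)},
    {"ruleId": "B002", "level": "error", "message": {"text": "Password literal"},
     "locations": _loc("src/auth.py", 5)},
])

CWE_TAG = re.compile(r"cwe-0*(\d+)$", re.IGNORECASE)


def _rule_for(result, rules):
    """Resolve rule metadata: SARIF allows a ruleIndex into driver.rules, else match ruleId."""
    idx = result.get("ruleIndex")
    if idx is not None and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), {})


def _cwes(rule):
    """CWE numbers from rule tags such as 'external/cwe/cwe-079' or 'CWE-89'."""
    found = set()
    for tag in rule.get("properties", {}).get("tags", []):
        m = CWE_TAG.search(tag)
        if m:
            found.add(int(m.group(1)))
    return found


def load_findings(sarif_text):
    """Flatten every result in every run into one record per location."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = driver.get("rules", [])
        for res in run.get("results", []):
            rule = _rule_for(res, rules)
            # A result may legitimately carry no location; keep it with uri/line None.
            for loc in res.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                findings.append({
                    "tool": driver.get("name", "unknown"),
                    "rule": res.get("ruleId"),
                    "cwes": _cwes(rule),
                    "level": res.get("level", "warning"),
                    "uri": phys.get("artifactLocation", {}).get("uri"),
                    "line": phys.get("region", {}).get("startLine"),
                    "message": res.get("message", {}).get("text", ""),
                })
    return findings


def merge_by_location(*sarif_texts):
    """Group findings from several logs by (uri, line): a weakness two tools both
    report appears once, with both tools and the union of their CWEs."""
    merged = {}
    for text in sarif_texts:
        for f in load_findings(text):
            entry = merged.setdefault((f["uri"], f["line"]),
                                      {"tools": set(), "cwes": set(), "rules": set()})
            entry["tools"].add(f["tool"])
            entry["cwes"] |= f["cwes"]
            entry["rules"].add(f"{f['tool']}:{f['rule']}")
    return merged


def corroborated(merged):
    """Locations flagged by more than one tool: a sensible first triage queue."""
    return sorted((k for k, v in merged.items() if len(v["tools"]) > 1),
                  key=lambda k: (k[0] or "", k[1] or 0))


if __name__ == "__main__":
    merged = merge_by_location(TOOL_A_SARIF, TOOL_B_SARIF)
    for (uri, line), v in sorted(merged.items(), key=lambda kv: (kv[0][0] or "", kv[0][1] or 0)):
        print(f"{uri}:{line}  tools={sorted(v['tools'])}  cwes={sorted(v['cwes'])}")
```

Real logs carry more than this (fingerprints for deduplication across runs, rules supplied by tool extensions, related locations); the merge key here is deliberately coarse so that two tools' differently worded findings on the same line collapse together, and the code makes no attempt to decide which tool is right.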

SAE International

SAE committees and working groups
Member

SAE International (previously known as the Society for Automotive Engineers) is a global association of engineers and related technical experts that develops and publishes international standards for global transport industries such as aerospace, automotive, and commercial vehicles.

G-32 cyber-physical systems security committee

The G-32 cyber-physical systems security committee develops documents on cyber-physical systems security (CPSS) intended for multisector, cross-industry use, addressing weaknesses and vulnerabilities of the system and its elements, including software, firmware, and hardware. Active participation in the committee spans industries such as aerospace, automotive, defense, medical devices, industrial control devices, IoT, and banking and finance, as well as government and academia.

  • JA6678 Cyber Physical Systems Security Software Assurance standardizes practices for assessing and addressing software vulnerabilities and weaknesses in a cyber-physical system using systems engineering principles, so as to ensure security and resilience throughout the system life cycle. It covers software assurance and analysis that considers the impact on the product's software, hardware, and firmware; areas of concern including the system's interfaces and network and command and control that could be manipulated through a physical process or physical input to the data flow and computation; and design validation and verification that assesses the security and resiliency of software affecting the cyber-physical system's safety, security, and integrity across the complete life cycle.
  • JA6801 Cyber Physical Systems Security Hardware Assurance standardizes practices for assessing and addressing weaknesses and vulnerabilities of the hardware, specifically the electrical, electronic, and electromechanical (EEE) components, of a cyber-physical system using systems engineering principles, so as to ensure security and resilience throughout the system life cycle. It covers EEE component-level assurance and analysis that considers the impact on the hardware, software, and firmware in the product or system; the same areas of concern as JA6678 (interfaces, network, and command and control that could be manipulated through a physical process or physical input); and design validation and verification that assesses the security and resiliency of the cyber-physical system.

Vehicle cyber security systems engineering committee

The Vehicle Cyber Security Systems Engineering Committee (WG TEVEES18A), which also serves as the U.S. TAG to ISO, codeveloped the Cyber Security Guidebook for Cyber-Physical Vehicle Systems (SAE J3061). The ISO/SAE 21434 cyber security engineering standard for road vehicles builds on SAE J3061 and provides a similar framework covering the entire life cycle of road vehicles.

Data Link Connector vehicle security committee

The Data Link Connector vehicle security committee WG TEVDS20 develops:

  • J3138 for Diagnostic Link Connector Security describes some of the actions that can help ensure safe vehicle operation in the case that any such connected device (external test equipment, connected data collection device) is compromised by a source external to the vehicle. It describes those actions specifically related to SAE J1979, ISO 15765, and ISO 14229 standardized diagnostic services.
  • J3146 for survey of practices for securing the interface through the DLC provides a reference or overview of some current practices for securing the vehicle’s interface with the Data Link Connector (DLC) from cyber security risks associated with external test equipment connections such as diagnostics scan tools or remotely connected applications such as telematics devices. The practices in this report are examples of some secured, in-vehicle data access methods in the automotive industry.

Singapore Standards Council MSC AVTC

Singapore Standards Council MSC AVTC working group
Member

The Singapore Manufacturing Federation Standards Development Organisation (SMF-SDO) administers the development, promotion, and implementation of standards to meet the needs of industry and regulators. SMF-SDO is guided by the industry-led Singapore Standards Council, which provides advice on the directions, policies, strategies, and priorities for the Singapore Standardisation Programme, managed by Enterprise Singapore, the national standards body.

The manufacturing standards committee (MSC) identifies, develops, and promotes critical standards to support the growth of the manufacturing and general engineering sectors in Singapore. The MSC autonomous vehicle technical committee (AVTC) oversees the preparation of a new standard and includes the cyber security guidelines working group (WG3) that develops “Technical Reference 68 for Autonomous Vehicles – Part 3 (TR 68 – 3): Cyber Security Principles and Assessment Framework” to promote the safe and secure deployment of fully autonomous vehicles in Singapore.

UL cyber security assurance program

Member

UL (formerly Underwriters Laboratories) is a global safety consulting and certification company. UL helps companies demonstrate safety, enhance sustainability, strengthen security, deliver quality, manage risk, and achieve regulatory compliance.

UL 2900 is a series of standards that present general software cyber security requirements for network-connectable products (UL 2900-1), as well as requirements specifically for medical and healthcare systems (UL 2900-2-1), industrial control systems (UL 2900-2-2), and security and life safety signaling systems (UL 2900-2-3).

The UL cyber security assurance program (UL CAP) is a certification program that evaluates the IoT security of network-connectable products and systems. UL CAP uses the UL 2900 series of standards.